commons-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [site][build-plugin] Keys link link on download page
Date Mon, 29 Dec 2014 20:51:21 GMT
On 29 December 2014 at 20:13, Bernd Eckenfels <ecki@zusammenkunft.net> wrote:
> On Mon, 29 Dec 2014 20:01:29 +0000
> sebb <sebbaz@gmail.com> wrote:
>
>> On 29 December 2014 at 19:48, Bernd Eckenfels
>> <ecki@zusammenkunft.net> wrote:
>> > The download page of apache commons reads like there is supposed to
>> > be a KEYS column in the table. But it is now a general link, so I
>> > would apply the following changes, if you agree:
>>
>> I think the reference to the KEYS file needs to come before the
>> hashes. We want to encourage sig checking as the primary way to check
>> downloads.
>>
>> But I agree that the text needs some TLC.
>
> Cool, how is this:
>
>       <p>
>         Please <a href="http://www.apache.org/info/verification.html">verify the integrity</a>
>         of downloaded files against the public code signing
>         <a href="http://www.apache.org/dist/commons/KEYS">KEYS</a>
>         used by the Apache Commons developers.
>       </p>
>       <p>
>         The <code>pgp</code> link downloads the OpenPGP compatible signature from our main site.
>         The <code>md5</code> link downloads the checksum from the main site.
>       </p>
>

Better, but the verification is not actually against the KEYS file.
How about:

      <p>
        It is essential that you <a href="http://www.apache.org/info/verification.html">verify the integrity</a>
        of downloaded files, preferably using the <code>PGP</code> signature; failing that using the <code>MD5</code> hash.
      </p>
      <p>
        The <a href="http://www.apache.org/dist/commons/KEYS">KEYS</a> file contains the public keys
        used by Apache Commons developers to sign releases.
        It is used in conjunction with the <code>PGP</code> signature for the download.
      </p>
      <p>
        The <code>PGP</code> link downloads the OpenPGP compatible signature from our main site.
        The <code>MD5</code> link downloads the checksum from our main site.
      </p>


I'm sure this could be improved further.

The generated links should probably also be upcased to PGP and MD5 so
they stand out better.

> Regards
> Bernd
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
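
The check order the proposed text describes (PGP signature first, MD5 only failing that), as an added shell example that is not part of the original message or of any Apache Commons tooling. The function names and the `<file>.asc` / `<file>.md5` layout are assumptions, and KEYS is assumed to have been fetched from the main site rather than a mirror.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumed layout: FILE, FILE.asc (PGP signature), FILE.md5, and a KEYS file.

# verify_pgp FILE KEYS: import KEYS into a throwaway GnuPG home, then check
# FILE.asc against FILE. KEYS only supplies public keys; the check itself is
# the signature verification.
verify_pgp() {
    file=$1 keys=$2
    tmp=$(mktemp -d) || return 2
    gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null &&
        gpg --homedir "$tmp" --batch --verify "$file.asc" "$file" 2>/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# verify_md5 FILE: compare FILE with the first 32-hex-digit value in FILE.md5.
# This detects corruption only; it says nothing about who produced the file.
verify_md5() {
    file=$1
    want=$(grep -Eio '[0-9a-f]{32}' "$file.md5" 2>/dev/null | head -n 1 | tr 'A-F' 'a-f')
    have=$(md5sum "$file" | cut -d ' ' -f 1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# verify_release FILE KEYS
# Returns 0 = verified, 1 = a check failed, 2 = nothing to check against.
verify_release() {
    file=$1 keys=$2
    if [ -f "$file.asc" ]; then
        # A present signature is authoritative: a failed signature check is
        # never rescued by a matching MD5.
        if verify_pgp "$file" "$keys"; then echo "pgp: ok"; return 0; fi
        echo "pgp: FAILED"; return 1
    fi
    if [ -f "$file.md5" ]; then
        if verify_md5 "$file"; then echo "md5: ok (integrity only)"; return 0; fi
        echo "md5: MISMATCH"; return 1
    fi
    echo "no signature or checksum found"; return 2
}
```
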
